Information security officers are growing increasingly complacent, suggest the recent findings from the 2007 E-Crime Watch Survey, conducted by Carnegie Mellon University Software Engineering Institute’s Computer Emergency Response Team (CERT).
According to the research, which was conducted in conjunction with the US Secret Service, average spending on IT security dropped by 5% in 2006 while overall corporate security expenditure fell a chunky 15%. Despite tightening budgets, however, 69% of respondents said they are now better able to handle e-crime incidents than in previous years.
Meanwhile, the incidence of e-crime continues to grow rapidly, with nearly 50% of surveyed organisations having experienced an e-crime incident in 2006, representing an 11% increase on 2005.
The figures suggest that security officers’ increased confidence in their ability to combat the threat of e-crime is misplaced. The situation may in part be a result of an ongoing tendency to overlook the so-called ‘insider threat’, the profile of which has long been obscured.
According to CERT, the proportion of organisations that make use of background checks on employees fell from 73% in 2005 to only 57% in 2006. Furthermore, the number of organisations deploying standard internal controls such as operating an account password management policy slipped from its high of 91% in 2005 to 84% in 2006, while the practice of employee monitoring fell out of use by a staggering 17% of organisations over the course of the year.
Employee security awareness training was the biggest loser, however, falling from 68% in 2005 to 38% in 2006.
“It is important that organisations are proactive in their approach to mitigating insider threats,” says Dawn Cappelli, Senior Member of the Technical Staff at CERT. “Our research has shown that those very policies and practices that respondents are cutting back on are critical in mitigating insider threats.”
In August, Information Age reported on the growing incidence of insider-related security breaches, in particular the increasingly common problem of data leakage which, according to the FBI Computer Crime and Security Survey of 2006, cost on average $4.6 million per organisation in 2006.